Expert advice on cybersecurity, cybersafety and cybercrime. Using real incidents, I explain why cyber risks occur, what form they take, and how they affect cybercitizens as individuals, employees, citizens and parents. Opinions expressed in this blog represent my personal views.


Monday, July 8, 2013

Should security social workers test websites without authorization to prove that they are insecure?

Earlier this month, the Electronic Frontier Foundation filed an appeal against the 41-month conviction of Andrew “Weev” Auernheimer, who along with a colleague exploited a hole in AT&T’s public website to siphon off 114,000 email addresses of AT&T’s iPad customers. Andrew erred in sending these email addresses to “Gawker”, which published a few of them, prompting an investigation. Andrew was charged with identity theft and a felony under the Computer Fraud and Abuse Act of 1986 (CFAA). Andrew’s colleague, who wrote the script (the “iPad 3G Account Slurper”) that extracted the email addresses, pleaded guilty and was not sentenced.

On June 6, 2013, mainstream Indian media went ballistic over a blog post by a Cornell student of Indian origin who had scraped the entire ICSE Class X and ISC Class 12th results off an online website and analyzed the marks distribution. Luckily for the student, neither the 1,50,000 students nor the Council for the Indian School Certificate Examinations (CISCE) filed a case. The hacker fortuitously did not disclose the data online as Andrew did.

In both these events the hackers claimed in their defense that their act could not be equated to a hack, as they scraped data that was publicly available to anyone with reasonable technical knowledge, notwithstanding that in both cases a script was written to extract bulk data using randomized inputs.
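From the defender's side, the scripted bulk extraction both incidents involved leaves a recognizable trace: one client asking a per-record endpoint for many distinct record ids in a short time. The following is an added example, not code from this post or from either incident, that flags such clients in access logs; it counts distinct ids rather than sequential ones, so randomized inputs are caught too. The log lines, the /account?id= endpoint, the client addresses and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Common Log Format). /account?id=<n> is a
# hypothetical per-record lookup page; 10.0.0.5 is a scripted client hitting
# randomized ids, 10.0.0.9 an ordinary user revisiting one record.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jul/2013:10:00:01 +0000] "GET /account?id=48213 HTTP/1.1" 200 512
10.0.0.9 - - [08/Jul/2013:10:00:01 +0000] "GET /account?id=10001 HTTP/1.1" 200 515
10.0.0.5 - - [08/Jul/2013:10:00:02 +0000] "GET /account?id=90117 HTTP/1.1" 200 509
10.0.0.5 - - [08/Jul/2013:10:00:02 +0000] "GET /account?id=17754 HTTP/1.1" 404 210
10.0.0.5 - - [08/Jul/2013:10:00:03 +0000] "GET /account?id=63350 HTTP/1.1" 200 511
10.0.0.9 - - [08/Jul/2013:10:00:40 +0000] "GET /account?id=10001 HTTP/1.1" 200 515
10.0.0.5 - - [08/Jul/2013:10:00:04 +0000] "GET /account?id=02981 HTTP/1.1" 200 508
10.0.0.5 - - [08/Jul/2013:10:00:05 +0000] "GET /account?id=77402 HTTP/1.1" 200 510
10.0.0.5 - - [08/Jul/2013:10:05:00 +0000] "GET /account?id=11111 HTTP/1.1" 200 510
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /account\?id=(?P<id>\d+) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(log):
    """Yield (ip, timestamp, record_id) for requests to the lookup endpoint."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["id"]

def max_distinct_ids(events, window_seconds):
    """Most distinct ids one client requested within any sliding time window."""
    events = sorted(events)          # (timestamp, record_id) pairs
    counts, best, lo = defaultdict(int), 0, 0
    for ts, rid in events:
        counts[rid] += 1
        while (ts - events[lo][0]).total_seconds() > window_seconds:
            old = events[lo][1]      # drop requests that fell out of the window
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best

def flag_enumerators(log, window_seconds=60, threshold=5):
    """Map each client exceeding the distinct-id threshold to its peak count."""
    per_ip = defaultdict(list)
    for ip, ts, rid in parse(log):
        per_ip[ip].append((ts, rid))
    flagged = {}
    for ip, evs in per_ip.items():
        peak = max_distinct_ids(evs, window_seconds)
        if peak >= threshold:        # threshold is an assumed value; tune per site
            flagged[ip] = peak
    return flagged
```

The repeat visits by 10.0.0.9 count as one id, so only the scripted client is reported; in practice the window and threshold are set from the site's normal per-user behaviour.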

There are security professionals and firms who test a company’s websites without authorization and use the vulnerabilities they find as a sales pitch. This practice, prevalent in the early days of the dotcom era, was acceptable to firms that did not spend money on routine security assessments, as the largest risk then was website defacement. At that time, amateur hackers were a nuisance to business, nothing more. Nowadays the risks and benefits of cyber crime are far bigger, and it is difficult to distinguish well-meaning professionals from crooks.

Should this practice be encouraged? I believe not. Should people like Andrew Auernheimer or Aaron Swartz be punished severely? I believe not. This is where an informed and aware judiciary has to draw the line. In the first instances of new forms of crime, sentences are handed out to set an example. This in my view is unjust to the person who was caught first, as others who follow may be more fortunate.

On a similar note, people and companies who do not take steps to protect their network infrastructure and customer data should be penalized. The fault for not using encrypted wifi, not changing the default wifi password, or not using updated antivirus or patching a computer should rest squarely with the owner, as its impact can have consequences for other people, firms or even national security.

Product vendors have found a way to motivate security researchers by legitimizing bug finding through bug bounty programs. Bug bounty programs offer a bounty, which may be up to 1,00,000 US$ for every security bug found and disclosed responsibly. Responsible disclosure allows the product vendor time to fix the vulnerability before public disclosure. Such programs are unsuitable for companies, and unauthorized, non-professional testing can cause site outages.


About Me

Security author and passionate blogger @LuciusonSecurity writing on risks that affect Internet users such as cyber crime, defamation, impersonation, privacy and security. Working hard to reduce cyber risks to some of the world's largest businesses. Find me on Twitter @luciuslobo or Linkedin at http://in.linkedin.com/in/luciuslobo